Recently, charities have adapted their work to become digitally aware and bring their staff and work online. The danger with adopting digital technologies and operating online is that more charities fall victim to cybercriminals than ever before.
Charities, by their very nature, hold funds, and personal, financial and commercial data, all of which are of interest to cybercriminals. Cybercriminals will send a ransom for access to your data if it's stolen or makes a profit if they steal the data and sell it to other criminals.
In the UK, we know that some charities know their data is sensitive, valuable and vulnerable to attack. But, many smaller charities do not realise this or do not perceive themselves as targets.
Whilst a smaller charity may not consider it a priority (or have the resources) to address their cyber protection, or they do not fully understand the threat. Therefore, we have created a list of Frequently Asked Questions (FAQ) to address the most commonly asked questions on why charities should take cyber security seriously.
What is a ‘cyber risk?’
Cyber risk is a potential exposure to loss or harm stemming from an organization’s information or communications systems.
What is cyber security?
Cyber security refers to protecting hardware, software, and data from attackers. The primary purpose of cyber security is to protect against cyberattacks like accessing, changing, or destroying sensitive information.
I'm a smaller charity; should I really have to worry about hackers?
The short answer is yes. Charities are subject to the same vulnerabilities as other organisations and businesses that conduct financial transactions and rely on electronically held data or information to conduct day-to-day operations.
The outward-facing nature of charities and a culture of trust in the sector make them particularly vulnerable to criminality.
What is ransomware?
Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.
What is Malware?
Short for malicious software, malware is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
What types of cyber-attacks do charities face? How can I combat these?
Sadly, there any many ways that cybercriminals can choose to attack a charity or business. The NCSC’s Cyber Threat Assessment revealed the following types of attacks were the most prevalent of those reported:
Ransomware and extortion: Charities may be targeted directly, inadvertently affected by malware aimed elsewhere, or by mass indiscriminate campaigns seeking to exploit as many victims as possible. Malicious actors may steal or deny data access and delete or change it. Alternatively, attackers may steal and threaten to release data unless a payment is made (or another demand is met).
Business email attacks: Criminals may initially compromise the email accounts (usually business rather than personal accounts) of a company’s senior executives or accounts personnel. Fake emails are then sent ordering unsuspecting employees with financial authority to divert money transfers to the criminals’ accounts.
Fake organisation websites: Criminals exploit the credibility and appeal of charities to trick donors into giving money to what appears to be a legitimate charity. This is often achieved by creating fake websites and social media accounts. Some fraudulent websites and accounts are well-designed, functional and professional. Criminals react quickly to exploit global events to steal money disguised as donations.
What is a VPN?
VPN stands for Virtual Private Network. It is a network connection method for creating an encrypted and safe connection. Using a VPN protects your data from interference, snooping or censorship.
What can I do if I think I’m being/or have been attacked?
The North West Cyber Resilience Centre is here to provide help and guidance to protect and prevent businesses from falling victim to cybercrime. If you think you have fallen victim to a cybercrime, you must know how to report it.
If you are a business, charity or organisation that is currently suffering a live Cyberattack, please call Action Fraud's 24/7 helpline on 0300 123 2040.
You can report cybercrime and attempted fraud to the national fraud reporting service Action Fraud. Action Fraud is the UK’s national reporting centre for fraud and cybercrime, and it takes crime reports on behalf of the police and can provide you with guidance. They assess each crime and, where possible, pass it out to the most relevant law enforcement agency to investigate or offer bespoke protection advice.
How might a breach affect my charity?
Charities can face heavy fines if they suffer data breaches leading to the loss or exposure of confidential information. Not only do charities need to worry about the financial implications of the data breach, but the negative publicity and financial penalty together can be devastating for a charity.
A UK transgender charity was fined £25,000 by the Information Commissioners Office (ICO) for failing to keep the personal data of its users secure. The breach led to the names and email addresses of 550 people being searchable online.
Another example of a fine received by a charity was the British and Foreign Bible Society which was fined £100,000 by the Information Commissioners Office (ICO) after cyber hackers gained access to more than 400,000 supporters’ personal data.
How can I educate staff/volunteers who work for a charity about cyber security?
It's likely that in your small organisation, you don't have access to an IT department or technical team of staff who are responsible for cyber security. And with so much cyber security guidance out there, it can be difficult for small organisations to know where to begin.
At the Cyber Resilience Centre, we support charities with our guidance and Security Awareness Training. This training is tailored to those with no cyber knowledge and demonstrates how you can improve your organisation’s resilience and covers five key areas:
Backing up your organisation's data correctly.
Protecting your organisation against malware.
Keep the devices used by your employees secure.
The importance of creating strong passwords.
Defending your organisation against phishing.
Implement a Cyber Incident Response Plan
The training will put your staff in the driving seat. They will answer questions, identify possible issues, and suggest how to prevent and tackle common cybersecurity challenges.
What are the biggest Cyber Security Myths?
In the world of cybersecurity and cybercrime, there are a lot of myths, misconceptions and rumours shared between business owners and employees. To distinguish between fact and fiction, take a look at our latest guide on cyber security myths.
How can the Cyber Resilience Centre help a charity improve its cyber resilience?
The North West Cyber Resilience Centre is part of the national rollout of Cyber Resilience Centres in the UK. We aim for every charity and business within our region to have the skills and knowledge to protect themselves from online attacks to make the region one of the safest places to live, work and do business.
We offer a range of membership packages; our free membership is free and entitles you to:
A welcome pack includes guidance and tips to help you tackle local cyber threats.
Monthly newsletters and invitations to regular events and webinars.
Free and easy-to-follow cyber security guidance and NCSC toolkits for you to run with your employees.
Access to affordable and professional cyber security services, including a service that can test your website's strength against the most common cyber attacks.
Find local certifying bodies should you want to achieve Cyber Essentials or Cyber Essentials ‘Plus’ accreditation.
For further information regarding the help and support we can offer your charity or voluntary organisation, you can view our dedicated page for charities.
If you have any questions, contact niomie here.
